Git-Mirrors/DivestOS
1
0
Fork 0
mirror of https://github.com/Divested-Mobile/DivestOS-Build.git synced 2025-03-08 14:16:13 -05:00
Code Issues Packages Projects Releases Wiki Activity

14.1: move n-netd cherry picks in tree

Browse Source
This commit is contained in:
Tad 2020-07-13 20:15:08 -04:00
parent 820a680d4d
commit 2675404f86
15 changed files with 682 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

134
Patches/LineageOS-14.1/android_system_netd/244387.patch Normal file
View File

@ -0,0 +1,134 @@
From 0cd7a28a999b9be67251989f8d434dde172157bd Mon Sep 17 00:00:00 2001
From: Lorenzo Colitti <lorenzo@google.com>
Date: Thu, 30 Mar 2017 02:50:09 +0900
Subject: [PATCH] Really always allow networking on loopback.
https://android-review.googlesource.com/#/c/294359/ attempted to
allow networking on loopback, but actually does not do anything
because no packet has both -i lo and -o lo: loopback packets have
-i lo in INPUT and -o lo in OUTPUT.
Test: bullhead builds, boots
Test: netd_{unit,integration}_test pass
Test: loopback traffic is matched by new "-i lo" and "-o lo" rules
Test: originated and received traffic is not matched by new rules
Bug: 34444781
Change-Id: I090cbeafce5bbdcf36a7aecaafbf832feddc06e1
---
server/FirewallController.cpp | 3 ++-
server/FirewallControllerTest.cpp | 15 ++++++++++-----
tests/binder_test.cpp | 16 ++++++++--------
3 files changed, 20 insertions(+), 14 deletions(-)
diff --git a/server/FirewallController.cpp b/server/FirewallController.cpp
index 826cf758..ffc99e16 100644
--- a/server/FirewallController.cpp
+++ b/server/FirewallController.cpp
@@ -301,7 +301,8 @@ std::string FirewallController::makeUidRules(IptablesTarget target, const char *
StringAppendF(&commands, "*filter\n:%s -\n", name);
// Always allow networking on loopback.
- StringAppendF(&commands, "-A %s -i lo -o lo -j RETURN\n", name);
+ StringAppendF(&commands, "-A %s -i lo -j RETURN\n", name);
+ StringAppendF(&commands, "-A %s -o lo -j RETURN\n", name);
// Allow TCP RSTs so we can cleanly close TCP connections of apps that no longer have network
// access. Both incoming and outgoing RSTs are allowed.
diff --git a/server/FirewallControllerTest.cpp b/server/FirewallControllerTest.cpp
index 7d96c61c..ba449db0 100644
--- a/server/FirewallControllerTest.cpp
+++ b/server/FirewallControllerTest.cpp
@@ -56,7 +56,8 @@ TEST_F(FirewallControllerTest, TestCreateWhitelistChain) {
std::vector<std::string> expectedRestore4 = {
"*filter",
":fw_whitelist -",
- "-A fw_whitelist -i lo -o lo -j RETURN",
+ "-A fw_whitelist -i lo -j RETURN",
+ "-A fw_whitelist -o lo -j RETURN",
"-A fw_whitelist -p tcp --tcp-flags RST RST -j RETURN",
"-A fw_whitelist -m owner --uid-owner 0-9999 -j RETURN",
"-A fw_whitelist -j DROP",
@@ -65,7 +66,8 @@ TEST_F(FirewallControllerTest, TestCreateWhitelistChain) {
std::vector<std::string> expectedRestore6 = {
"*filter",
":fw_whitelist -",
- "-A fw_whitelist -i lo -o lo -j RETURN",
+ "-A fw_whitelist -i lo -j RETURN",
+ "-A fw_whitelist -o lo -j RETURN",
"-A fw_whitelist -p tcp --tcp-flags RST RST -j RETURN",
"-A fw_whitelist -p icmpv6 --icmpv6-type packet-too-big -j RETURN",
"-A fw_whitelist -p icmpv6 --icmpv6-type router-solicitation -j RETURN",
@@ -95,7 +97,8 @@ TEST_F(FirewallControllerTest, TestCreateBlacklistChain) {
std::vector<std::string> expectedRestore = {
"*filter",
":fw_blacklist -",
- "-A fw_blacklist -i lo -o lo -j RETURN",
+ "-A fw_blacklist -i lo -j RETURN",
+ "-A fw_blacklist -o lo -j RETURN",
"-A fw_blacklist -p tcp --tcp-flags RST RST -j RETURN",
"COMMIT\n\x04"
};
@@ -141,7 +144,8 @@ TEST_F(FirewallControllerTest, TestReplaceWhitelistUidRule) {
std::string expected =
"*filter\n"
":FW_whitechain -\n"
- "-A FW_whitechain -i lo -o lo -j RETURN\n"
+ "-A FW_whitechain -i lo -j RETURN\n"
+ "-A FW_whitechain -o lo -j RETURN\n"
"-A FW_whitechain -p tcp --tcp-flags RST RST -j RETURN\n"
"-A FW_whitechain -p icmpv6 --icmpv6-type packet-too-big -j RETURN\n"
"-A FW_whitechain -p icmpv6 --icmpv6-type router-solicitation -j RETURN\n"
@@ -168,7 +172,8 @@ TEST_F(FirewallControllerTest, TestReplaceBlacklistUidRule) {
std::string expected =
"*filter\n"
":FW_blackchain -\n"
- "-A FW_blackchain -i lo -o lo -j RETURN\n"
+ "-A FW_blackchain -i lo -j RETURN\n"
+ "-A FW_blackchain -o lo -j RETURN\n"
"-A FW_blackchain -p tcp --tcp-flags RST RST -j RETURN\n"
"-A FW_blackchain -m owner --uid-owner 10023 -j DROP\n"
"-A FW_blackchain -m owner --uid-owner 10059 -j DROP\n"
diff --git a/tests/binder_test.cpp b/tests/binder_test.cpp
index 5395f1d2..dcaf2302 100644
--- a/tests/binder_test.cpp
+++ b/tests/binder_test.cpp
@@ -176,31 +176,31 @@ TEST_F(BinderTest, TestFirewallReplaceUidChain) {
mNetd->firewallReplaceUidChain(String16(chainName.c_str()), true, uids, &ret);
}
EXPECT_EQ(true, ret);
- EXPECT_EQ((int) uids.size() + 6, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str()));
- EXPECT_EQ((int) uids.size() + 12, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str()));
+ EXPECT_EQ((int) uids.size() + 7, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str()));
+ EXPECT_EQ((int) uids.size() + 13, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str()));
{
TimedOperation op("Clearing whitelist chain");
mNetd->firewallReplaceUidChain(String16(chainName.c_str()), false, noUids, &ret);
}
EXPECT_EQ(true, ret);
- EXPECT_EQ(4, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str()));
- EXPECT_EQ(4, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str()));
+ EXPECT_EQ(5, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str()));
+ EXPECT_EQ(5, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str()));
{
TimedOperation op(StringPrintf("Programming %d-UID blacklist chain", kNumUids));
mNetd->firewallReplaceUidChain(String16(chainName.c_str()), false, uids, &ret);
}
EXPECT_EQ(true, ret);
- EXPECT_EQ((int) uids.size() + 4, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str()));
- EXPECT_EQ((int) uids.size() + 4, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str()));
+ EXPECT_EQ((int) uids.size() + 5, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str()));
+ EXPECT_EQ((int) uids.size() + 5, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str()));
{
TimedOperation op("Clearing blacklist chain");
mNetd->firewallReplaceUidChain(String16(chainName.c_str()), false, noUids, &ret);
}
EXPECT_EQ(true, ret);
- EXPECT_EQ(4, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str()));
- EXPECT_EQ(4, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str()));
+ EXPECT_EQ(5, iptablesRuleLineLength(IPTABLES_PATH, chainName.c_str()));
+ EXPECT_EQ(5, iptablesRuleLineLength(IP6TABLES_PATH, chainName.c_str()));
// Check that the call fails if iptables returns an error.
std::string veryLongStringName = "netd_binder_test_UnacceptablyLongIptablesChainName";

52
Patches/LineageOS-14.1/android_system_netd/244388.patch Normal file
View File

@ -0,0 +1,52 @@
From 297e6f85ac174825505970e62b4a1f39f84ef3ac Mon Sep 17 00:00:00 2001
From: Joel Scherpelz <jscherpelz@google.com>
Date: Wed, 14 Jun 2017 10:27:47 +0900
Subject: [PATCH] BACKPORT: Avoid netlink socket address conflict
NetlinkManager previously bound all netlink sockets with nl_pid =
getpid(). Unfortunately only the first such socket is allowed to claim
nl_pid = getpid(). The kernel is happy to assign this value
automatically if nl_pid = 0. For more information on nl_pid see "man 7
netlink".
When NFLogListener was added, it created a socket with a kernel assigned
nl_pid, unfortunately the kernel assigns getpid() to the first such
socket and listener was initialized earlier in the startup process than
NetlinkManager.
This change alters NetlinkManager to request a kernel assigned nl_pid and
defensively moves the initialization of NFLogListener later in the
startup sequence to favor proper operation of existing code in
NetlinkManager. Error logging is also slightly improved.
Test: as follows
- built
- flashed
- booted
- "runtest -x .../netd_unit_test.cpp" passes
- "cts-tradefed run commandAndExit cts-dev -m CtsOsTestCases -t
android.os.cts.StrictModeTest" passes
Bug: 62353125
[syphyr: Removed NFLogListener changes]
Signed-off-by: L.W. Reek <syphyr@gmail.com>
Change-Id: I9c1c76e5769de75ff624bf43634ac4061c447a72
---
server/NetlinkManager.cpp | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/server/NetlinkManager.cpp b/server/NetlinkManager.cpp
index 769a80ae..5e6eaba8 100644
--- a/server/NetlinkManager.cpp
+++ b/server/NetlinkManager.cpp
@@ -73,7 +73,8 @@ NetlinkHandler *NetlinkManager::setupSocket(int *sock, int netlinkFamily,
memset(&nladdr, 0, sizeof(nladdr));
nladdr.nl_family = AF_NETLINK;
- nladdr.nl_pid = getpid();
+ // Kernel will assign a unique nl_pid if set to zero.
+ nladdr.nl_pid = 0;
nladdr.nl_groups = groups;
if ((*sock = socket(PF_NETLINK, SOCK_DGRAM | SOCK_CLOEXEC, netlinkFamily)) < 0) {

68
Patches/LineageOS-14.1/android_system_netd/245690.patch Normal file
View File

@ -0,0 +1,68 @@
From af314f68701a4d6c06ac1b9a09feddcff5e7eb73 Mon Sep 17 00:00:00 2001
From: Sehee Park <sehee32.park@samsung.com>
Date: Wed, 26 Dec 2018 07:28:23 +0900
Subject: [PATCH] Fix fortify_fatal issue during DNSServiceProcessResult()
fd was checked at beginnig of DNSServiceProcessResult()
but fd was changed to -1. So, fortify_fatal was occured
when FD_SET() was called.
Abort message: 'FORTIFY: FD_SET: file descriptor -1 < 0'
Test: Build
Bug: 120910016
Bug: 121327565
Change-Id: Ib4c8dcc08223578fb53647637b44a20a4c221050
Merged-In: Ib4c8dcc08223578fb53647637b44a20a4c221050
Signed-off-by: Sehee Park <sehee32.park@samsung.com>
(cherry picked from commit 3eeb0e6b86ac8a7f00968d0a086381e7dcd8cc2b)
---
server/MDnsSdListener.cpp | 10 +++++++++-
server/MDnsSdListener.h | 1 +
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/server/MDnsSdListener.cpp b/server/MDnsSdListener.cpp
index 883fe815..e3fd66a0 100644
--- a/server/MDnsSdListener.cpp
+++ b/server/MDnsSdListener.cpp
@@ -146,7 +146,7 @@ void MDnsSdListener::Handler::stop(SocketClient *cli, int argc, char **argv, con
return;
}
if (VDBG) ALOGD("Stopping %s with ref %p", str, ref);
- DNSServiceRefDeallocate(*ref);
+ mMonitor->deallocateServiceRef(ref);
mMonitor->freeServiceRef(requestId);
char *msg;
asprintf(&msg, "%s stopped", str);
@@ -617,7 +617,9 @@ void MDnsSdListener::Monitor::run() {
ALOGD("Monitor found [%d].revents = %d - calling ProcessResults",
i, mPollFds[i].revents);
}
+ pthread_mutex_lock(&mHeadMutex);
DNSServiceProcessResult(*(mPollRefs[i]));
+ pthread_mutex_unlock(&mHeadMutex);
mPollFds[i].revents = 0;
}
}
@@ -769,3 +771,9 @@ void MDnsSdListener::Monitor::freeServiceRef(int id) {
}
pthread_mutex_unlock(&mHeadMutex);
}
+
+void MDnsSdListener::Monitor::deallocateServiceRef(DNSServiceRef* ref) {
+ pthread_mutex_lock(&mHeadMutex);
+ DNSServiceRefDeallocate(*ref);
+ pthread_mutex_unlock(&mHeadMutex);
+}
\ No newline at end of file
diff --git a/server/MDnsSdListener.h b/server/MDnsSdListener.h
index e9c6066a..a107d3b8 100644
--- a/server/MDnsSdListener.h
+++ b/server/MDnsSdListener.h
@@ -76,6 +76,7 @@ class MDnsSdListener : public FrameworkListener {
static void *threadStart(void *handler);
int startService();
int stopService();
+ void deallocateServiceRef(DNSServiceRef* ref);
private:
void run();
int rescan(); // returns the number of elements in the poll

32
Patches/LineageOS-14.1/android_system_netd/245691.patch Normal file
View File

@ -0,0 +1,32 @@
From 5f01e7f21f155a6b13a5ce659bac1fc03735a5e9 Mon Sep 17 00:00:00 2001
From: Ken Chen <cken@google.com>
Date: Sat, 26 Jan 2019 19:17:00 +0800
Subject: [PATCH] Clear Element.mRef immediately after deallocating it
DNSServiceRefDeallocate() and pointer dereferencing in request handler
thread are protected by two separate lock/unlock pairs on mHeadMutex.
If rescan() runs between these, it could dereference mRef, causing
a heap-use-after-free bug.
Solution: set mRef to null immediately after freeing it.
Bug: 121327565
Test: build
Change-Id: I56ace2ad8a2da528afa375aefb1b9420547658a7
(cherry picked from commit 9762bc1964a37ec56091ee2b6070e19c5206f615)
---
server/MDnsSdListener.cpp | 1 +
1 file changed, 1 insertion(+)
diff --git a/server/MDnsSdListener.cpp b/server/MDnsSdListener.cpp
index e3fd66a0..563e0207 100644
--- a/server/MDnsSdListener.cpp
+++ b/server/MDnsSdListener.cpp
@@ -775,5 +775,6 @@ void MDnsSdListener::Monitor::freeServiceRef(int id) {
void MDnsSdListener::Monitor::deallocateServiceRef(DNSServiceRef* ref) {
pthread_mutex_lock(&mHeadMutex);
DNSServiceRefDeallocate(*ref);
+ *ref = nullptr;
pthread_mutex_unlock(&mHeadMutex);
}
\ No newline at end of file

129
Patches/LineageOS-14.1/android_system_netd/264479.patch Normal file
View File

@ -0,0 +1,129 @@
From 73e902f57aae15f4d79ed57f46326fb5a0136c94 Mon Sep 17 00:00:00 2001
From: Erik Kline <ek@google.com>
Date: Thu, 24 Nov 2016 08:30:34 +0900
Subject: [PATCH] Cache flushing no longer occurs updating DNS for a single
netid
Test: runtest netd_integration_test.cpp
Bug: 32517984
Change-Id: I6a82824ab423a07797291e7b4701350c88809117
---
tests/netd_test.cpp | 102 ++++++++++++++++++++++----------------------
1 file changed, 51 insertions(+), 51 deletions(-)
diff --git a/tests/netd_test.cpp b/tests/netd_test.cpp
index a958cd90..97a96b9a 100644
--- a/tests/netd_test.cpp
+++ b/tests/netd_test.cpp
@@ -386,60 +386,60 @@ TEST_F(ResolverTest, GetAddrInfo) {
dns2.addMapping(host_name, ns_type::ns_t_aaaa, "::1.2.3.4");
ASSERT_TRUE(dns2.startServer());
- for (size_t i = 0 ; i < 1000 ; ++i) {
- std::vector<std::string> servers = { listen_addr };
- ASSERT_TRUE(SetResolversForNetwork(mDefaultSearchDomains, servers, mDefaultParams));
- dns.clearQueries();
- dns2.clearQueries();
-
- EXPECT_EQ(0, getaddrinfo("howdy", nullptr, nullptr, &result));
- size_t found = GetNumQueries(dns, host_name);
- EXPECT_LE(1U, found);
- // Could be A or AAAA
- std::string result_str = ToString(result);
- EXPECT_TRUE(result_str == "1.2.3.4" || result_str == "::1.2.3.4")
- << ", result_str='" << result_str << "'";
- // TODO: Use ScopedAddrinfo or similar once it is available in a common header file.
- if (result) {
- freeaddrinfo(result);
- result = nullptr;
- }
- // Verify that the name is cached.
- size_t old_found = found;
- EXPECT_EQ(0, getaddrinfo("howdy", nullptr, nullptr, &result));
- found = GetNumQueries(dns, host_name);
- EXPECT_LE(1U, found);
- EXPECT_EQ(old_found, found);
- result_str = ToString(result);
- EXPECT_TRUE(result_str == "1.2.3.4" || result_str == "::1.2.3.4")
- << result_str;
- if (result) {
- freeaddrinfo(result);
- result = nullptr;
- }
+ std::vector<std::string> servers = { listen_addr };
+ ASSERT_TRUE(SetResolversForNetwork(mDefaultSearchDomains, servers, mDefaultParams));
+ dns.clearQueries();
+ dns2.clearQueries();
+
+ EXPECT_EQ(0, getaddrinfo("howdy", nullptr, nullptr, &result));
+ size_t found = GetNumQueries(dns, host_name);
+ EXPECT_LE(1U, found);
+ // Could be A or AAAA
+ std::string result_str = ToString(result);
+ EXPECT_TRUE(result_str == "1.2.3.4" || result_str == "::1.2.3.4")
+ << ", result_str='" << result_str << "'";
+ // TODO: Use ScopedAddrinfo or similar once it is available in a common header file.
+ if (result) {
+ freeaddrinfo(result);
+ result = nullptr;
+ }
- // Change the DNS resolver, ensure that queries are no longer cached.
- servers = { listen_addr2 };
- ASSERT_TRUE(SetResolversForNetwork(mDefaultSearchDomains, servers, mDefaultParams));
- dns.clearQueries();
- dns2.clearQueries();
-
- EXPECT_EQ(0, getaddrinfo("howdy", nullptr, nullptr, &result));
- found = GetNumQueries(dns, host_name);
- size_t found2 = GetNumQueries(dns2, host_name);
- EXPECT_EQ(0U, found);
- EXPECT_LE(1U, found2);
-
- // Could be A or AAAA
- result_str = ToString(result);
- EXPECT_TRUE(result_str == "1.2.3.4" || result_str == "::1.2.3.4")
- << ", result_str='" << result_str << "'";
- if (result) {
- freeaddrinfo(result);
- result = nullptr;
- }
+ // Verify that the name is cached.
+ size_t old_found = found;
+ EXPECT_EQ(0, getaddrinfo("howdy", nullptr, nullptr, &result));
+ found = GetNumQueries(dns, host_name);
+ EXPECT_LE(1U, found);
+ EXPECT_EQ(old_found, found);
+ result_str = ToString(result);
+ EXPECT_TRUE(result_str == "1.2.3.4" || result_str == "::1.2.3.4")
+ << result_str;
+ if (result) {
+ freeaddrinfo(result);
+ result = nullptr;
}
+
+ // Change the DNS resolver, ensure that queries are still cached.
+ servers = { listen_addr2 };
+ ASSERT_TRUE(SetResolversForNetwork(mDefaultSearchDomains, servers, mDefaultParams));
+ dns.clearQueries();
+ dns2.clearQueries();
+
+ EXPECT_EQ(0, getaddrinfo("howdy", nullptr, nullptr, &result));
+ found = GetNumQueries(dns, host_name);
+ size_t found2 = GetNumQueries(dns2, host_name);
+ EXPECT_EQ(0U, found);
+ EXPECT_LE(0U, found2);
+
+ // Could be A or AAAA
+ result_str = ToString(result);
+ EXPECT_TRUE(result_str == "1.2.3.4" || result_str == "::1.2.3.4")
+ << ", result_str='" << result_str << "'";
+ if (result) {
+ freeaddrinfo(result);
+ result = nullptr;
+ }
+
dns.stopServer();
dns2.stopServer();
}

28
Patches/LineageOS-14.1/android_system_netd/264480.patch Normal file
View File

@ -0,0 +1,28 @@
From 7aee5e85160c025a6d3f0460f4482aadb985c0f3 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Sat, 19 Nov 2016 09:09:16 -0800
Subject: [PATCH] TetherController.cpp: add O_CLOEXEC
Don't leak open file descriptors across execs to netd's children. This
can occur in the unlikely but theoretically possible event that one
thread is in writeToFile() and another thread happens to call exec().
Test: device boots with no obvious problems.
Change-Id: Iabd8eee46bf94d70894ca46e58484ccb8241513a
---
server/TetherController.cpp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/server/TetherController.cpp b/server/TetherController.cpp
index 3cc46368..65c88ede 100644
--- a/server/TetherController.cpp
+++ b/server/TetherController.cpp
@@ -46,7 +46,7 @@ const char IPV6_FORWARDING_PROC_FILE[] = "/proc/sys/net/ipv6/conf/all/forwarding
const char SEPARATOR[] = "|";
bool writeToFile(const char* filename, const char* value) {
- int fd = open(filename, O_WRONLY);
+ int fd = open(filename, O_WRONLY | O_CLOEXEC);
if (fd < 0) {
ALOGE("Failed to open %s: %s", filename, strerror(errno));
return false;

30
Patches/LineageOS-14.1/android_system_netd/264481.patch Normal file
View File

@ -0,0 +1,30 @@
From bea94d341f8c3da6611e959b4732accbb079cab1 Mon Sep 17 00:00:00 2001
From: Manoj Gupta <manojgupta@google.com>
Date: Tue, 22 Nov 2016 21:15:59 -0800
Subject: [PATCH] Fix clang static analyzer warnings.
system/netd/server/NetlinkHandler.cpp:218:12: warning: Dereference of
null pointer (loaded from variable 'gateway')
Test: Warning no longer appears
Change-Id: Idaa08940c990f7d572e855e77982ffd57a032dd4
---
server/NetlinkHandler.cpp | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/server/NetlinkHandler.cpp b/server/NetlinkHandler.cpp
index 19de240a..e9a11bab 100644
--- a/server/NetlinkHandler.cpp
+++ b/server/NetlinkHandler.cpp
@@ -215,9 +215,9 @@ void NetlinkHandler::notifyRouteChange(NetlinkEvent::Action action, const char *
"Route %s %s%s%s%s%s",
(action == NetlinkEvent::Action::kRouteUpdated) ? kUpdated : kRemoved,
route,
- *gateway ? " via " : "",
+ (gateway && *gateway) ? " via " : "",
gateway,
- *iface ? " dev " : "",
+ (iface && *iface) ? " dev " : "",
iface);
}

40
Patches/LineageOS-14.1/android_system_netd/264482.patch Normal file
View File

@ -0,0 +1,40 @@
From 147d0470f98c5f5f938892bbc5bb640e115fdb98 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Tue, 20 Dec 2016 08:40:35 -0800
Subject: [PATCH] SockDiag.cpp: Add O_CLOEXEC to tcpdiag sockets
Add O_CLOEXEC to NETLINK_INET_DIAG sockets. This ensures that the file
descriptors associated with these sockets do not leak across an exec()
boundary. Please see "man 2 open" for a description of why this is
desirable.
Addresses the following SELinux denial:
avc: denied { read write } for comm="clatd" path="socket:[902062]"
dev="sockfs" ino=902062 scontext=u:r:clatd:s0 tcontext=u:r:netd:s0
tclass=netlink_tcpdiag_socket permissive=0
which occurs when netd executes clatd and inadvertantly leaks the file
descriptors to that process.
Test: Android compiles and boots, and no obvious errors
Change-Id: Ic5662fa8df6884e7002a0ec89839fe90abe05574
---
server/SockDiag.cpp | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/server/SockDiag.cpp b/server/SockDiag.cpp
index 11711afa..630e379d 100644
--- a/server/SockDiag.cpp
+++ b/server/SockDiag.cpp
@@ -73,8 +73,8 @@ bool SockDiag::open() {
return false;
}
- mSock = socket(PF_NETLINK, SOCK_DGRAM, NETLINK_INET_DIAG);
- mWriteSock = socket(PF_NETLINK, SOCK_DGRAM, NETLINK_INET_DIAG);
+ mSock = socket(PF_NETLINK, SOCK_DGRAM | SOCK_CLOEXEC, NETLINK_INET_DIAG);
+ mWriteSock = socket(PF_NETLINK, SOCK_DGRAM | SOCK_CLOEXEC, NETLINK_INET_DIAG);
if (!hasSocks()) {
closeSocks();
return false;

41
Patches/LineageOS-14.1/android_system_netd/264483.patch Normal file
View File

@ -0,0 +1,41 @@
From 3c272f5a65fa8ebabb22bd344ff65c14be47183c Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Tue, 20 Dec 2016 06:51:32 -0800
Subject: [PATCH] FwMarkServer.cpp: Add O_CLOEXEC to received FDs
Add O_CLOEXEC to file descriptors received via the fwmark service. This
prevents netd's file descriptors from leaking across an exec() boundary,
and may address the following non-reproducible SELinux denials:
avc: denied { use } for comm="clatd" path="socket:[860297]" dev="sockfs"
ino=860297 scontext=u:r:clatd:s0 tcontext=u:r:untrusted_app:s0:c512,c768
tclass=fd permissive=0
avc: denied { read write } for comm="clatd" path="socket:[1414454]"
dev="sockfs" ino=1414454 scontext=u:r:clatd:s0
tcontext=u:r:system_server:s0 tclass=tcp_socket permissive=0
avc: denied { use } for comm="clatd" path="socket:[681600]" dev="sockfs"
ino=681600 scontext=u:r:clatd:s0 tcontext=u:r:priv_app:s0:c512,c768
tclass=fd permissive=0
Test: Device boots and no obvious problems
Test: /data/nativetest/netd_integration_test/netd_integration_test passed
Change-Id: I866b1ee0693516b46269c7106e7fc1f85b017639
---
server/FwmarkServer.cpp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/server/FwmarkServer.cpp b/server/FwmarkServer.cpp
index 80df03f4..38a116d6 100644
--- a/server/FwmarkServer.cpp
+++ b/server/FwmarkServer.cpp
@@ -74,7 +74,7 @@ int FwmarkServer::processClient(SocketClient* client, int* socketFd) {
message.msg_control = cmsgu.cmsg;
message.msg_controllen = sizeof(cmsgu.cmsg);
- int messageLength = TEMP_FAILURE_RETRY(recvmsg(client->getSocket(), &message, 0));
+ int messageLength = TEMP_FAILURE_RETRY(recvmsg(client->getSocket(), &message, MSG_CMSG_CLOEXEC));
if (messageLength <= 0) {
return -errno;
}

54
Patches/LineageOS-14.1/android_system_netd/264484.patch Normal file
View File

@ -0,0 +1,54 @@
From 2b418c7cdced80f2ecd0e31b357970d51d9e4b25 Mon Sep 17 00:00:00 2001
From: Lorenzo Colitti <lorenzo@google.com>
Date: Sat, 21 Jan 2017 15:00:36 +0900
Subject: [PATCH] Log the time it takes netd to start up.
Currently on, bullhead-eng, I see:
01-21 14:59:26.174 21421 21421 I Netd : Netd started in 2432ms
Test: restarted netd and observed log message.
Bug: 32323979
Bug: 33279878
Change-Id: I7195d06d7ed1a09858185555f60b07e5bfe306ed
---
server/main.cpp | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/server/main.cpp b/server/main.cpp
index ae3a71a3..aab15d66 100644
--- a/server/main.cpp
+++ b/server/main.cpp
@@ -18,6 +18,7 @@
#include <stdlib.h>
#include <signal.h>
#include <errno.h>
+#include <math.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
@@ -40,6 +41,7 @@
#include "NetdConstants.h"
#include "NetdNativeService.h"
#include "NetlinkManager.h"
+#include "Stopwatch.h"
#include "DnsProxyListener.h"
#include "MDnsSdListener.h"
#include "FwmarkServer.h"
@@ -63,6 +65,7 @@ android::RWLock android::net::gBigNetdLock;
int main() {
using android::net::gCtls;
+ Stopwatch s;
ALOGI("Netd 1.0 starting");
remove_pid_file();
@@ -122,6 +125,8 @@ int main() {
write_pid_file();
+ ALOGI("Netd started in %dms", static_cast<int>(s.timeTaken()));
+
IPCThreadState::self()->joinThreadPool();
ALOGI("Netd exiting");

24
Patches/LineageOS-14.1/android_system_netd/264572.patch Normal file
View File

@ -0,0 +1,24 @@
From 0dfec203ee3b024ab9ff3d7d5c40c2cdf2db81e2 Mon Sep 17 00:00:00 2001
From: Chih-Hung Hsieh <chh@google.com>
Date: Fri, 6 May 2016 10:36:13 -0700
Subject: [PATCH] Fix google-explicit-constructor warnings.
Bug: 28341362
Change-Id: Idadc9ad22fdd9d014c8fe0522c89b6ec9d05ae98
---
tests/binder_test.cpp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/binder_test.cpp b/tests/binder_test.cpp
index dcaf2302..1018e00e 100644
--- a/tests/binder_test.cpp
+++ b/tests/binder_test.cpp
@@ -105,7 +105,7 @@ char BinderTest::sDstStr[INET6_ADDRSTRLEN];
class TimedOperation : public Stopwatch {
public:
- TimedOperation(std::string name): mName(name) {}
+ explicit TimedOperation(const std::string &name): mName(name) {}
virtual ~TimedOperation() {
fprintf(stderr, " %s: %6.1f ms\n", mName.c_str(), timeTaken());
}

46
Patches/LineageOS-14.1/android_system_netd/264573.patch Normal file
View File

@ -0,0 +1,46 @@
From b5c3fe8fac846e9e586f2c0454c1036099adaf27 Mon Sep 17 00:00:00 2001
From: Thurston Hou Yeen Dang <thurston@google.com>
Date: Wed, 1 Jun 2016 11:02:29 -0700
Subject: [PATCH] Unsigned integer overflow sanitization for netd/server
Enable unsigned-integer-overflow sanitization for netd/server
(libnetdaidl, netd, ndc).
This does not cause any aborts on CtsNetTestCases (includes
android.net.cts.VpnServiceTest), CtsNetTestCasesLegacyApi22, and
CtsNetTestCasesLegacyPermission22.
(Some tests are finicky and need to be re-run individually to pass; there is similar behavior on the unsanitized build.)
Change-Id: I021bae3cf20df7669822977d3221a44f207614a8
---
server/Android.mk | 3 +++
1 file changed, 3 insertions(+)
diff --git a/server/Android.mk b/server/Android.mk
index 04b626f0..0c848e54 100644
--- a/server/Android.mk
+++ b/server/Android.mk
@@ -21,6 +21,7 @@ include $(CLEAR_VARS)
LOCAL_CFLAGS := -Wall -Werror
LOCAL_CLANG := true
+LOCAL_SANITIZE := unsigned-integer-overflow
LOCAL_MODULE := libnetdaidl
LOCAL_SHARED_LIBRARIES := \
libbinder \
@@ -47,6 +48,7 @@ LOCAL_C_INCLUDES := \
LOCAL_CLANG := true
LOCAL_CPPFLAGS := -std=c++11 -Wall -Werror
+LOCAL_SANITIZE := unsigned-integer-overflow
LOCAL_MODULE := netd
LOCAL_INIT_RC := netd.rc
@@ -134,6 +136,7 @@ include $(BUILD_EXECUTABLE)
include $(CLEAR_VARS)
LOCAL_CFLAGS := -Wall -Werror
+LOCAL_SANITIZE := unsigned-integer-overflow
LOCAL_CLANG := true
LOCAL_MODULE := ndc
LOCAL_SHARED_LIBRARIES := libcutils

2
PrebuiltApps

@ -1 +1 @@
Subproject commit b708c5479c9695f4658decbebe789f33f8586e99 Subproject commit 1efeeaca191c0033b57816b99caf0341c7dc97e3

1
Scripts/LineageOS-14.1/Functions.sh
View File

@ -118,7 +118,6 @@ patchWorkspace() {
#repopick 214125; #spellchecker: enable more wordlists #repopick 214125; #spellchecker: enable more wordlists
repopick -it n_asb_09-2018-qcom; repopick -it n_asb_09-2018-qcom;
repopick -it ibss-mode-nougat; repopick -it ibss-mode-nougat;
repopick -it n-netd;
repopick -i 280667 280668 280669; #n-asb-2020-07 repopick -i 280667 280668 280669; #n-asb-2020-07
export DOS_GRAPHENE_MALLOC=false; #patches apply, compile fails export DOS_GRAPHENE_MALLOC=false; #patches apply, compile fails

3
Scripts/LineageOS-14.1/Patch.sh
View File

@ -183,6 +183,9 @@ git revert --no-edit 0217dddeb5c16903c13ff6c75213619b79ea622b d7aa1231b6a0631f50
patch -p1 < "$DOS_PATCHES/android_system_core/0001-Harden.patch"; #Harden mounts with nodev/noexec/nosuid + misc sysfs changes (GrapheneOS) patch -p1 < "$DOS_PATCHES/android_system_core/0001-Harden.patch"; #Harden mounts with nodev/noexec/nosuid + misc sysfs changes (GrapheneOS)
if [ "$DOS_GRAPHENE_MALLOC" = true ]; then patch -p1 < "$DOS_PATCHES_COMMON/android_system_core/0001-HM-Increase_vm_mmc.patch"; fi; #(GrapheneOS) if [ "$DOS_GRAPHENE_MALLOC" = true ]; then patch -p1 < "$DOS_PATCHES_COMMON/android_system_core/0001-HM-Increase_vm_mmc.patch"; fi; #(GrapheneOS)
enterAndClear "system/netd";
git am "$DOS_PATCHES/android_system_netd/*.patch"; #n-netd
enterAndClear "system/sepolicy"; enterAndClear "system/sepolicy";
patch -p1 < "$DOS_PATCHES/android_system_sepolicy/248600.patch"; #restrict access to timing information in /proc patch -p1 < "$DOS_PATCHES/android_system_sepolicy/248600.patch"; #restrict access to timing information in /proc
patch -p1 < "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch"; #Fix -user builds for LGE devices patch -p1 < "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch"; #Fix -user builds for LGE devices